That might be another problem. I read on a bit more of what happended to cloudflare. Their TLS communication never went trough the parser that had the bug. But the reason we should change the password is because of the TLS key exchange was cought in the bug.